AD DNS query

ahobbs posted this 4 weeks ago

Hey all

I have a query about AD DNS records.

We are having random connectivity issues with a couple of Domain Controllers with cross forest authentication/lookups.

We have a 2 way forest trust between the two AD Forests, with DNS conditional forwarders configured for name resolution.

In the target forest we have 4 x Windows 2008 R2 Domain Controllers all with AD Integrated DNS installed.

When I do an NSLOOKUP on the TARGET domain or check the Name Servers tab on the DNS Zone, I see 5 records being returned instead of 4 x AD DNS servers.
The extra DNS entry of USDC500 is a legacy AD/DNS server that is no longer on the domain, but a DNS A record was created to point it to NADC001 just in case we had applications hardcoded to use USDC500.

USDC500 192.168.128.11
NADC001 192.168.128.11
NADC002 192.168.128.12
NADC003 192.168.128.13
NADC004 192.168.128.14

This may be a stupid question, but is this an acceptable way to configure our primary DNS zone or handle AD authentication? We have problems enumerating group memberships across the Active Directory Forest for authentication and are trying to rule out DNS.

Thank you

A

Forum info: http://www.activedir.org
Problems unsubscribing? Email admin@xxxxxxxxxxxxxxxx
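As an added example (not from the thread or any of its posters), a PowerShell audit that compares the NS records a zone advertises with the DCs actually in the forest. Run against the setup above it would flag USDC500 twice: it is not a domain controller, and it shares NADC001's address. The zone name and DNS server are placeholders; it assumes the RSAT ActiveDirectory module and Resolve-DnsName on the admin host.

```powershell
# Added example, not from the thread. Compares the NS records a zone advertises
# with the DCs actually present in the forest, and flags NS names that are not
# DCs or that share an address with another NS name (the USDC500 -> NADC001 case).
# Assumes: RSAT ActiveDirectory module, Resolve-DnsName (Win8/2012+ admin host),
# and that $ZoneName / $DnsServer are placeholders for the target forest.
param(
    [string]$ZoneName  = 'target.example',   # placeholder: target forest's AD zone
    [string]$DnsServer = ''                  # placeholder: server to query, '' = default resolver
)
Import-Module ActiveDirectory

# Authoritative list of DCs (all run AD-integrated DNS in this scenario).
$dcNames = Get-ADDomainController -Filter * -Server $ZoneName |
           ForEach-Object { "$($_.HostName)".ToLower() }

# What NSLOOKUP and the Name Servers tab show: the zone's NS record set.
$query = @{ Name = $ZoneName; Type = 'NS'; DnsOnly = $true }
if ($DnsServer) { $query.Server = $DnsServer }
$nsRecords = Resolve-DnsName @query | Where-Object { $_.Type -eq 'NS' }

$report = foreach ($ns in $nsRecords) {
    $nsHost = $ns.NameHost.TrimEnd('.').ToLower()
    $aQuery = @{ Name = $nsHost; Type = 'A'; DnsOnly = $true; ErrorAction = 'SilentlyContinue' }
    if ($DnsServer) { $aQuery.Server = $DnsServer }
    $ips = Resolve-DnsName @aQuery | Where-Object { $_.Type -eq 'A' } |
           ForEach-Object { $_.IPAddress } | Sort-Object
    [pscustomobject]@{
        NameServer = $nsHost
        IPAddress  = ($ips -join ',')
        IsDC       = ($dcNames -contains $nsHost)
    }
}
$report | Format-Table -AutoSize

# Stale: advertised as authoritative but not a DC in the forest.
foreach ($r in ($report | Where-Object { -not $_.IsDC })) {
    Write-Warning "NS record '$($r.NameServer)' is not backed by a domain controller"
}
# Alias: two NS names resolving to the same address, so the zone advertises
# one server twice under different names.
foreach ($g in ($report | Group-Object IPAddress | Where-Object { $_.Count -gt 1 })) {
    Write-Warning "Address $($g.Name) is advertised as NS under: $($g.Group.NameServer -join ', ')"
}
```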

kebabfest posted this 4 weeks ago

Group enumeration sounds more like a problem with token bloat. There's a reg update you do on the AD controllers to increase the number of groups allowed. I think the hard limit is 1024. Correct me if I am wrong here. The only other time I have seen this type of problem is if there is a replication issue between DCs and not all the DCs are GCs.
On Tue 24 Apr 2018, 20:16 Amanda Hobbs, <ahobbslist@xxxxxxxxxxxxxxxx> wrote:

webster posted this 4 weeks ago

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc756101(v=ws.10)

Maximum is 1015.

"Security principals (that is, user, group, and computer accounts) can be members of a maximum of approximately 1,015 groups."

Thanks

Carl Webster
Citrix Technology Professional Fellow | IGEL Tech Community Insider | Parallels VIPP
http://www.CarlWebster.com
The Accidental Citrix Admin

kebabfest posted this 4 weeks ago

Off the top of my head the right reg key (the new right one) entry number is 65356. Can't remember the key name. Am I close?
On Tue 24 Apr 2018, 21:17 Webster, <webster@xxxxxxxxxxxxxxxx> wrote:

ahobbs posted this 4 weeks ago

Hello
The group enumeration works


kebabfest posted this 4 weeks ago

Is replication working as it should to the 2 enumerating DCs and are they GCs?
On Tue 24 Apr 2018, 21:48 Amanda Hobbs, <ahobbslist@xxxxxxxxxxxxxxxx> wrote:

ahobbs posted this 4 weeks ago

Yes, first thing I checked. All replicates fine, all are GCs as single forest single domain.
Used port query to check all the ports and they seem fine, tracert completes the same route as the working DCs.


idarryl posted this 4 weeks ago

Check for event ID 31, that signals token bloat. Have you checked MaxTokenSize is the same on each DC, or configured a GPO to apply to all DCs?
Darryl
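As an added example (not from the thread or any of its posters), a PowerShell check for the three token-bloat points raised in the replies: whether MaxTokenSize matches on every DC, how many groups a user's expanded token actually carries against the ~1,015 figure quoted above, and whether any DC has logged event ID 31. The user name is a placeholder; it assumes the RSAT ActiveDirectory module, WinRM access to the DCs, and that event ID 31 is read from the System log.

```powershell
# Added example, not from the thread. Checks the three things raised above:
# MaxTokenSize consistency across DCs, a user's effective (nested) group count
# against the ~1,015 limit, and recent event ID 31 entries on each DC.
# Assumes: RSAT ActiveDirectory module, WinRM access to the DCs, that event ID 31
# is read from the System log (assumption), and that $UserName is a placeholder.
param([string]$UserName = 'jdoe')   # placeholder: account that fails to enumerate
Import-Module ActiveDirectory

$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
$dcs = Get-ADDomainController -Filter * | ForEach-Object { "$($_.HostName)" }

# 1. MaxTokenSize must match on every DC; a GPO on the Domain Controllers OU
#    is the usual way to keep it that way.
$sizes = foreach ($dc in $dcs) {
    $val = Invoke-Command -ComputerName $dc -ErrorAction SilentlyContinue -ScriptBlock {
        (Get-ItemProperty -Path $using:regPath -Name MaxTokenSize -ErrorAction SilentlyContinue).MaxTokenSize
    }
    $shown = if ($null -eq $val) { 'not set (OS default)' } else { $val }
    [pscustomobject]@{ DC = $dc; MaxTokenSize = $shown }
}
$sizes | Format-Table -AutoSize
if (@($sizes.MaxTokenSize | Sort-Object -Unique).Count -gt 1) {
    Write-Warning 'MaxTokenSize is not the same on every DC'
}

# 2. tokenGroups is the server-expanded SID list, so it already includes
#    nested memberships; this is the number that matters for the limit.
$user = Get-ADUser -Identity $UserName -Properties tokenGroups
$groupCount = @($user.tokenGroups).Count
"$UserName is a member of $groupCount groups (nested memberships included)"
if ($groupCount -gt 1015) { Write-Warning "$UserName exceeds the ~1,015 group limit" }

# 3. Event ID 31, which the reply above identifies as the token-bloat signal.
foreach ($dc in $dcs) {
    $ev = Get-WinEvent -ComputerName $dc -MaxEvents 5 -ErrorAction SilentlyContinue `
          -FilterHashtable @{ LogName = 'System'; Id = 31 }
    if ($ev) { "${dc}: $(@($ev).Count) recent event ID 31 entries" }
}
```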


barkills posted this 4 weeks ago

We have problems enumerating group memberships across Active Directory Forest for authentication and trying to rule out DNS.

